I'm having an issue getting failed logins to Windows servers to log
correctly to alerts.log.
I've created a failed login and confirmed the Windows event logs show this
as ID 4625.
Checking in the rules directory on the OSSEC server this appears within the
field of the msauth rule file (ID 1810
Hey all, bit of a strange issue here. If I log in/out of a server the
event will be logged into the alerts.log file perfectly fine, but when
viewing the logs in a browser through the web interface the Src IP field
lists the username, but it does so incorrectly; it appears that the first
charact
On Tue, 9 Dec 2014, Eero Volotinen wrote:
I'm looking to avoid having to worry about disk space for this sort of
config.
You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..
Unless you are using "enterprise class" datacenter storage systems. y
On Mon, 8 Dec 2014, Rick McClinton wrote:
David,
Eero is right that disk space is relatively quite inexpensive these days; I
think lots of us are more concerned with log retention against future audit
needs than with disk usage. Anyway, it's pretty easy to set up cron
scripts for log file clean
David,
Eero is right that disk space is relatively quite inexpensive these days; I
think lots of us are more concerned with log retention against future audit
needs than with disk usage. Anyway, it's pretty easy to set up cron
scripts for log file cleanups.
To address your question, I don't
> I'm looking to avoid having to worry about disk space for this sort of
> config.
>
>
You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..
--
Eero
I think dan mentioned it all - but basically...
Run the register_host.sh and plug in your username@host password
enablepassword
Step 1 e.g. ./register_host.sh ciscouser@1.2.3.4 password enablepassword
Steps 2 and 3 in your list are incorrect. Delete those...
Edit the ossec.conf and add/edit
On Thu, 4 Dec 2014, dan (ddp) wrote:
On Wed, Dec 3, 2014 at 7:51 PM, Jarrod Farncomb wrote:
Hi guys,
I have some Juniper SSG devices which I need log in events to be reported to
OSSEC so that they can be included within the daily report.
From my research, the Juniper SSGs will specific the OS
I can.
Are you interested in just the important bits as they relate to the decodes
(authentication success/failure), or did you want to see the entire log
file? It's a fairly verbose application, so with the logging level that I
setup on it, it only reports application errors, administrator
f
On Mon, Dec 8, 2014 at 12:13 PM, Michael Starks <
ossec-l...@michaelstarks.com> wrote:
> With real-time checks enabled, it's a time-based security problem. Can the
> agent send the hashes to the manager before the attacker can alter or stop
> them?
Yes: stop OSSEC, start your own agent. This is
Sir,
You can also configure the ASA to send log events via syslog, either
directly to OSSEC or to the syslog daemon on the ossec server, so OSSEC can
monitor that output as well.
Caveat: I am not very familiar with the remote monitoring but it is my
understanding that this would only check the
On Mon, Dec 8, 2014 at 11:55 AM, Semperfi wrote:
> Hello;
>
> I would like to monitor our ASA 5510. Is there any documentation or
> tutorial on monitoring an ASA ?
>
> I have found limited information and my understanding.
>
>
>
> 1)I have to edit the register_host.sh, add the host.:
On 2014-12-08 9:56, Damian Gerow wrote:
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote:
Possibly compromised systems shouldn't have control over a database
they do not have control over. That's kind of the idea behind sending
the hashes to the manager. It helps prevent shady behavior.
Hello;
I would like to monitor our ASA 5510. Is there any documentation or
tutorial on monitoring an ASA ?
I have found limited information and my understanding.
1)I have to edit the register_host.sh, add the host.: if so,
Where?
2)edit ssh_asa-fwsmconfig_dif
On Mon, Dec 8, 2014 at 11:05 AM, dan (ddp) wrote:
> >> >> Possibly compromised systems shouldn't have control over a database
> >> >> they do not have control over. That's kind of the idea behind sending
> >> >> the hashes to the manager. It helps prevent shady behavior.
> >> >
> >> >
> >> > So,
On Mon, Dec 8, 2014 at 10:56 AM, Damian Gerow wrote:
> On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote:
>>
>> >> Possibly compromised systems shouldn't have control over a database
>> >> they do not have control over. That's kind of the idea behind sending
>> >> the hashes to the manager. It hel
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote:
> >> Possibly compromised systems shouldn't have control over a database
> >> they do not have control over. That's kind of the idea behind sending
> >> the hashes to the manager. It helps prevent shady behavior.
> >
> >
> > So, possibly compromis
On Mon, Dec 8, 2014 at 10:34 AM, Damian Gerow wrote:
> On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) wrote:
>>
>> Yes and no. It's cludgy, but you could have a package update trigger
>> an active response on the manager to clear the database. It could be a
>> security issue, handing over some control
On Mon, Dec 8, 2014 at 10:30 AM, Philipp Hoferichter wrote:
> We have an error with installing the OSSEC Server when using Binary
> Installation Mode:
>
> Example:
> 2014/12/08 16:26:46 Could not get ossec gid.
Does the ossec group exist?
> Started ossec-analysisd...
> 2014/12/08 16:26:46 ossec-
On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) wrote:
> Yes and no. It's cludgy, but you could have a package update trigger
> an active response on the manager to clear the database. It could be a
> security issue, handing over some control of the database to the
> agent, but it should be possible.
>
We have an error with installing the OSSEC Server when using Binary
Installation Mode:
Example:
2014/12/08 16:26:46 Could not get ossec gid.
Started ossec-analysisd...
2014/12/08 16:26:46 ossec-logcollector(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
Started ossec-logcollecto
On Sun, Dec 7, 2014 at 1:20 AM, Bijesh Maskey wrote:
> hi all,
> I have installed and configured an ossec server in CentOS 6 and two clients, Win
> 2k8 and CentOS, as agents running on my VirtualBox. Ossec is running
> smoothly and detecting all the changes made on the files where the path is
> assign
On Fri, Dec 5, 2014 at 3:19 PM, Brent Morris wrote:
> Wish I could edit that last post!
>
> I forgot a few lines complete local_decoder.xml below.
>
> add the following to local_decoder.xml
>
>
>
> ^pfsvc
>
>
>
>pfsvc-auth
> Pfauth \w+ for user '(\S+)'. Call status:
> (\S
On Mon, Dec 8, 2014 at 7:17 AM, horst knete wrote:
> Hey guys,
>
> we are having an OSSEC server installation on debian with about 210 Windows
> and Linux Ossec-Clients in our network.
>
> Regarding syscheck, we literally have the default settings of ossec
> that includes a big part of the
On Mon, Dec 8, 2014 at 2:28 AM, Bijesh Maskey wrote:
> my server is running on CentOS 6 and i have currently two agents running, one
> Linux CentOS 6 and another Windows Server 2008. in both the cases (in
> windows as well as CentOS) i am not getting the log (integrity check) for
> deleted files.
On Fri, Dec 5, 2014 at 5:35 PM, Christina Plummer wrote:
>
>> > Is there a way to silence an agent for a specific time, so it will not
>> > generate events? During a system update, there shouldn't be any alarms
>> > of
>>
>> You can clear the database, update the system, and then run a new scan.
>
Hey guys,
we are having an OSSEC server installation on debian with about 210 Windows
and Linux Ossec-Clients in our network.
Regarding syscheck, we literally have the default settings of ossec
that includes a big part of the windows registry and windows directory as
well as most linux
my server is running on CentOS 6 and i have currently two agents running, one
Linux CentOS 6 and another Windows Server 2008. in both the cases (in
windows as well as CentOS) i am not getting the log (integrity check) for
deleted files. please let me know if you need any more information. i can